Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up sting

Customers of the SmokeLoader malware have been detained

Europol logo and badge pictured on the exterior of the Europol headquarters in The Hague, Netherlands.
(Image credit: Getty Images)
Emma Woollacott's avatar
By
published
in News

Europol has detained several people believed to be involved in a botnet operation as part of a follow-up to a major takedown last year.

Following the Operation Endgame investigation, major malware droppers including IcedID, SystemBC, Pikabot, Smokeloader and Bumblebee, were shut down last year.

According to Europol, analysis of the contents of a seized database enabled it to identify customers of the SmokeLoader pay-per-install botnet, operated by an individual known as ‘Superstar’.

The law enforcement agency has now made arrests, carried out house searches, and conducted arrest warrants or ‘knock and talks’.

"Superstar used his botnet to run a pay-per-install service, enabling customers to gain access to victims’ machines. Customers used the service to deploy malware for their own criminal activities," Europol said.

"Investigations revealed that botnet access was purchased for a range of purposes, including keylogging, webcam access, ransomware deployment, cryptomining and more. Law enforcement tracked down the customers as they were registered in a database seized during Operation Endgame."

The malware had infected millions of computers around the world, according to the FBI. SystemBC facilitated anonymous communication between an infected system and a command-and-control servers.

Meanwhile, Bumblebee was distributed mainly via phishing campaigns or compromised websites, and was designed to enable the delivery and execution of further payloads on compromised systems.

SmokeLoader was mainly used as a downloader to install additional malicious software onto the systems it infected. Similarly, IcedID - also known as BokBot - had been further developed to carry out a range of crimes as well as the theft of financial data.

Europol hails success of largest botnet takedown

As part of last year's operation - the largest ever against a botnet - more than 100 servers were shut down or disrupted and over 2,000 internet domains tied to the hacking activities were seized.

But while last May's activities were focused on the high-level players who were using ransomware, for example, this latest set of raids is designed to mop up the customers of Cybercrime as a Service providers.

Law enforcement agencies in several countries were able to link online personas and their usernames to actual individuals.

"When called in for questioning, several suspects chose to cooperate with the authorities by facilitating the examination of digital evidence stored on their personal devices," Europol said.

"Several suspects resold the services purchased from SmokeLoader at a markup, thus adding an additional layer of interest to the investigation."

Europol said it’s not quite finished yet, either. The law enforcement agency is still investigating possible leads, revealing it has more suspects in the crosshairs.

MORE FROM ITPRO

TOPICS
Emma Woollacott
Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

Latest
  • How to Choose the Best MFA Methods
    How to Choose the Best MFA Methods

    whitepaper

  • The CISO’s Guide to Stopping Ransomware
    The CISO’s Guide to Stopping Ransomware

    whitepaper

You might also like
View More ▸